Enforce MFA second factor (Duo) for SP with IDP side config?
Losen, Stephen C (scl)
scl at virginia.edu
Thu Nov 15 15:17:52 EST 2018
Hi folks,
I have configured our IDP to enforce MFA second factor (Duo) if the SP requests an auth context class (ACC) that can only be satisfied by Duo. I believe this is the normal way to handle this.
However, I fear I am dealing with an SP (Workday) that does not support specifying an ACC in the auth request. So that means I may need to set this up on the IDP side. I can edit the SP metadata, but I don't think ACC is something that I can specify there (please tell me I'm wrong). Can ACC be specified in relying-party.xml?
I know I can do this with a context-check-intercept or else with an attribute release filter.
Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at virginia.edu 434-924-0640